# An allow-list of commands that the Agent Proxy user can run as root.
#
# `requiretty` is off by default, but it may be set as a system-wide default to
# prevent users from mistakenly disclosing their password. The
# aembit_agent_proxy user has no password to disclose, and these commands are
# all run with the non-interactive flag.
# Per-user override: the requiretty check is disabled for this account only,
# so the rules below work from a daemon that has no controlling terminal.
Defaults:aembit_agent_proxy !requiretty

# Each entry below allows exactly one command line. sudoers requires fully
# qualified paths and compares the complete argument string, so a call with
# different or additional arguments is rejected unless the rule contains a
# wildcard.
#
# Read the CrowdStrike Falcon sensor's agent ID (read-only query).
aembit_agent_proxy ALL=(root:root) NOPASSWD: /opt/CrowdStrike/falconctl -g --aid
# Read the hardware serial number from DMI/SMBIOS (read-only query).
aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/sbin/dmidecode --string system-serial-number
#
# The lines below are templates. The leading AEMBIT_* token presumably marks a
# feature flag that the installer uses to decide whether to uncomment and
# render the line, and `{{ ... }}` placeholders are substituted at render
# time — confirm against the installer. Rendered values must not contain
# unescaped sudoers metacharacters (`*`, `?`, `[`, `,`, `:`, `=`, `\`), or the
# rule will either fail to parse or match more command lines than intended;
# check the rendered file with `visudo -cf <rendered-file>` before installing.
#
# Fetch the Kerberos-attested document with curl running under the `aembit`
# group (sg -c hands the string to a shell). `\:` escapes the ':' that sudoers
# would otherwise treat as a separator, giving curl empty credentials for
# Negotiate.
# AEMBIT_PRIVILEGED_KEYTAB aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/bin/sg aembit -c /usr/bin/curl --negotiate --user \: --fail --http1.1 {{ AGENT_CONTROLLER_LOCATION }}/api/v1/attested-document/kerberos
# Obtain a Kerberos ticket from the host keytab for the rendered principal.
# The single quotes are part of the matched argument string and are removed by
# the shell that sg spawns, so the caller must pass them verbatim. The trailing
# "# Note the single quotes" is a sudoers comment if this line is rendered.
# AEMBIT_PRIVILEGED_KEYTAB aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/bin/sg aembit -c /usr/bin/kinit -k -t /etc/krb5.keytab '{{ SAMACCOUNT_PRINCIPAL }}' # Note the single quotes
# The trailing `*` matches any argument string after `update`, including an
# empty one and one containing spaces, so rules.sh is the privilege boundary
# here and must strictly validate everything it receives.
# AEMBIT_STEERING_ALLOWED_HOSTS aembit_agent_proxy ALL=(root:root) NOPASSWD: {{ AEMBIT_AGENT_PROXY_INSTALL_DIR_SCRIPTS }}/rules.sh update *
# Pass AEMBIT_DOCKER_CONTAINER_CIDR from the caller's environment through to
# the commands run as root. The value is controlled by the invoking user, so
# whatever reads it must validate it as a CIDR before use.
# AEMBIT_STEERING_WITH_DOCKER_CIDR Defaults:aembit_agent_proxy env_keep+=AEMBIT_DOCKER_CONTAINER_CIDR
